Another entry in the internet security hall of shame....

Stephan Neuhaus neuhaus at st.cs.uni-sb.de
Wed Sep 7 10:29:52 EDT 2005


Peter Gutmann wrote:
> Alaric Dailey <alaricd at pengdows.com> writes:
>>In my opinion, PSK has the same problems as all symmetric encryption, it's
>>great if you can share the secret securely, but distribution to the masses
>>makes it infeasible.
> 
> 
> Exactly, PSKs are infeasible, and all those thousands of web sites that have
> successfully employed them for a decade or more are all just figments of our
> imagination.  By extension, ATMs are also infeasible.

I don't know about New Zealand, but in Germany, ATM PINs (and 
homebanking TAN lists) are sent in special envelopes that you can't see 
through, even when holding them against a light.  That's exactly the 
sort of distribution method that would be needed for PSKs to have 
desirable security properties and to make them feasible, and that's 
exactly the distribution method that Joe's Used Condoms can't use 
because it's too expensive.  Also, it would preclude doing business with 
someone you don't already know.

Also, phishing isn't done on "all those thousands of web sites that have
successfully employed [passwords] for a decade or more"; it's just done 
on those where there's money to be had.  Where it's done, it very often 
works.  How is that a "successfully employed" security model?

> Sarcasm aside for a minute, several people have responded to the PSK thread
> with the standard "passwords don't work, whine moan complain" response that
> security people are expected to give whenever passwords are mentioned.  It's
> all the user's fault, they should learn how to use PKI.

I think you're talking about me here, so I think I should clear some 
things up.  First of all, I don't think that users should learn how to 
use PKI.  I don't use PKI (much) because I think it's too bloody 
complicated, and I am certainly an educated user.  I wouldn't dare foist 
PKI on uneducated users.  (There is a great parody by Stenkelfeld, a 
German radio comedy show, about the difficult HBCI procedure then in use 
at Haspa, the largest German savings bank.  It's in German, but I can 
get you an MP3 if you want.  And there isn't even that much I in HBCI's 
PKI.) But I'm no expert on PKI, so I asked a question instead, namely 
whether PKI wasn't going to make it for the web.  Second, I also didn't 
say that passwords didn't *work*, I said that they had *storage and 
management issues* that certificates did not have and that their 
deployment would be problematic because of that, and I stand by that.

The reason for my opinion has nothing to do with any knee-jerk standard 
reaction in relation to passwords, except perhaps for the problem of 
transferring them securely; see above.  (I think the problem is real 
under many threat models; you may disagree.) Rather, it is my impression 
that a switch to TLS-PSK would not just be a client-side thing, but that 
server code would have to be changed also, and that it is this issue 
which will prevent widespread deployment of TLS-PSK.  This has nothing 
to do with what users want or can do, and it has nothing to do with the 
technical feasibility of passwords.

> The failing is in the security community.

We completely agree.  We have failed to produce practical and secure 
solutions.  To repeat, I especially agree that PKI is a solution in 
search of a problem, and that it's not practical for web commerce.

I also agree that password authentication is not inherently poor, and if 
we could turn the clock back ten years, that's what we should do.  I 
also agree that password-based authentication was trivial to 
implement---ten years ago!  Today it's not going to be anywhere near trivial.

> Here's my proposal for an unmistakable TLS-PSK based authentication mechanism
> for a browser: [...]

If I were a phisher, I'd set up a web site having normal text boxes for 
username and password.  On it, I'd put a link "why isn't the URL bar 
blue?" and use some technical mumbo-jumbo about how for technical 
reasons, the feature needed to be disabled in the browser, but that the 
passwords were of course secure (there was a posting on this list to the 
effect that a bank actually did this or something very similar).  Or 
maybe that this particular browser isn't supported with TLS-PSK (DiBa 
doesn't support anything but IE, for example, and logins will 
mysteriously fail if attempted with any other browser).  I bet that'd 
work, no matter how unspoofable the TLS-PSK password entry were.

> It doesn't solve *all* phishing problems, but it's a darn sight better than
> the mess we're in now.

OK, I'm willing to concede that I probably don't understand many of the 
issues, technical or otherwise, and that I don't have a solution to 
offer myself, so I'll shut my trap (except if directly challenged, or in 
private email) until someone has made a decent try to get browser makers 
to support both TLS-PSK and to include unspoofable password entry 
methods.  Then we'll see how merchants react to this and what the 
ultimate consequences are.

Fun,

Stephan